CVE-2014-8604
XCloner 3.1.1 and 3.5.1 - Unauthenticated Exposure of MySQL Password in Configuration Panel
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2014-8604.
AI-analyzed exploit summary: This is a detailed technical analysis of multiple vulnerabilities in the XCloner WordPress/Joomla! backup plugin, including arbitrary command execution via unsanitized input in exec() calls, cleartext MySQL password exposure, and predictable backup file names. The writeup includes vulnerable code snippets and root cause analysis.
Description
The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! returns the MySQL password in cleartext to a text box in the configuration panel, which allows remote attackers to obtain sensitive information via unspecified vectors.